Patch "drm/exynos: vidi: fix to avoid directly dereferencing user pointer" has been added to the 6.6-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Thu Mar 19 05:01:23 PDT 2026


This is a note to let you know that I've just added the patch titled

    drm/exynos: vidi: fix to avoid directly dereferencing user pointer

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From stable+bounces-219910-greg=kroah.com at vger.kernel.org Fri Feb 27 06:00:25 2026
From: Jeongjun Park <aha310510 at gmail.com>
Date: Fri, 27 Feb 2026 13:59:52 +0900
Subject: drm/exynos: vidi: fix to avoid directly dereferencing user pointer
To: stable at vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>, Inki Dae <inki.dae at samsung.com>, Seung-Woo Kim <sw0312.kim at samsung.com>, Kyungmin Park <kyungmin.park at samsung.com>, David Airlie <airlied at gmail.com>, Simona Vetter <simona at ffwll.ch>, Krzysztof Kozlowski <krzk at kernel.org>, Alim Akhtar <alim.akhtar at samsung.com>, dri-devel at lists.freedesktop.org, linux-arm-kernel at lists.infradead.org, linux-samsung-soc at vger.kernel.org, linux-kernel at vger.kernel.org, Jeongjun Park <aha310510 at gmail.com>
Message-ID: <20260227045953.165751-3-aha310510 at gmail.com>

From: Jeongjun Park <aha310510 at gmail.com>

[ Upstream commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 ]

In vidi_connection_ioctl(), vidi->edid(user pointer) is directly
dereferenced in the kernel.

This allows arbitrary kernel memory access from the user space, so instead
of directly accessing the user pointer in the kernel, we should modify it
to copy edid to kernel memory using copy_from_user() and use it.

Cc: <stable at vger.kernel.org>
Signed-off-by: Jeongjun Park <aha310510 at gmail.com>
Signed-off-by: Inki Dae <inki.dae at samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 drivers/gpu/drm/exynos/exynos_drm_vidi.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
@@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_dev
 
 	if (vidi->connection) {
 		struct edid *raw_edid;
+		struct edid edid_buf;
+		void *edid_userptr = u64_to_user_ptr(vidi->edid);
 
-		raw_edid = (struct edid *)(unsigned long)vidi->edid;
-		if (!drm_edid_is_valid(raw_edid)) {
+		if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid)))
+			return -EFAULT;
+
+		if (!drm_edid_is_valid(&edid_buf)) {
 			DRM_DEV_DEBUG_KMS(ctx->dev,
 					  "edid data is invalid.\n");
 			return -EINVAL;
 		}
-		ctx->raw_edid = drm_edid_duplicate(raw_edid);
-		if (!ctx->raw_edid) {
+
+		raw_edid = drm_edid_duplicate(&edid_buf);
+
+		if (!raw_edid) {
 			DRM_DEV_DEBUG_KMS(ctx->dev,
 					  "failed to allocate raw_edid.\n");
 			return -ENOMEM;
 		}
+		ctx->raw_edid = raw_edid;
 	} else {
 		/*
 		 * with connection = 0, free raw_edid
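Review bot: the copy_from_user() into edid_buf is fixed at sizeof(struct edid), so only the base block is ever brought into kernel memory, yet the same stack object is then handed to drm_edid_is_valid(&edid_buf) and drm_edid_duplicate(&edid_buf). If either helper sizes its walk from the extension count stored in the copied header, a user-supplied EDID that declares extension blocks would make them read past the end of edid_buf on the stack. Consider rejecting a non-zero extension count right after the copy, or copying the full declared length into a heap buffer before validating. Separately, edid_userptr is declared as plain "void *" although it is initialised from u64_to_user_ptr(); declaring it "void __user *" keeps the address-space annotation so sparse can still check the copy_from_user() call.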


Patches currently in stable-queue which might be from aha310510 at gmail.com are

queue-6.6/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch
queue-6.6/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch
queue-6.6/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch


